RISK : ISSUES FOR BOARDS (MODULE 5)
1. Risk governance structure
Whether through a formal or an informal process, every organisation manages risk. As an organisational process, this can be separated into six activities:
Understand the context.
Identify risks and determine tolerances.
Measure / quantify / assess risks.
Make decisions on the management of risks.
Monitor and report risks.
Oversee, evaluate, assess and fine-tune the risk management process.
2. Risk appetite
Set the Risk Appetite/Tolerance
= the amount of risk exposure the organisation is willing to pursue or tolerate in order to meet its goals
To set it, the board needs to:
understand the purpose, values and strategy of the organisation
understand why the shareholders are here and what their appetite for risk is
understand the organisation's capability
understand the environment in which the organisation is operating
Specific risk tolerances
Hazard risk, asset management, safety, environment, regulatory
Different risks warrant different appetites
Risk Register and Framework/Matrix
- the tools for managing risk
Each risk is rated on Consequence vs Likelihood
Each risk is then either accepted or mitigated (accepted risk vs risk mitigation)
3. Structuring risk management
How should the board and management be structured to provide appropriate risk management and risk oversight?
Do we have a combined audit and risk committee, or do we split it?
-- Full board, no committee
-- Combined audit and risk committee
-- Separate audit and risk committees
-- Relationship with other committees
-- Executive committee
-- Chief Risk Officer
-- Use of internal audit
-- Is the board comfortable? Is the structure appropriate?
External assurance options - what is the third-party view of the internal risk and audit committee?
4. Embedding risk into governance
Embed risk in all normal governance activities
(board paper template covering discussion, decision and noting items, as well as risk)
Top 6 risks to be added to the board papers for discussion. Understand the strategy and the risk together
What quality of data do we want (qualitative and quantitative)?
Ensure that risk management, as practised, creates value
Take people and culture into account
Risk management policy
Risk management framework
7. Crisis management
Boards take a different role in times of crisis.
Preparation for a crisis is an investment in organisational resilience.
The board's responsibility for crisis management is part of its fiduciary duty.
Therefore, the board must ensure:
• Management has developed and implemented a robust risk management system.
• Management has developed crisis management / business-continuity plans and procedures (and ask: have these ever been tested?)
The board’s specific role and responsibilities at a time of crisis will depend on the nature of the crisis.
The board can, for example:
• Support the CEO in managing the crisis.
• Use the board’s network of contacts to alleviate / remedy the crisis.
• Mentor the management team to overcome the issue(s) facing the organisation.
• Source external support for the management team.
8. Emerging risks
Interdependence and contagion
Extreme weather events
VUCA - Volatility, Uncertainty, Complexity and Ambiguity
Virtual and Augmented Reality
6. Risk and culture
Is the organisation's culture aligned with its risk appetite?
What do we need to have in place to align culture with risk policy?
Ensure there is education on risk.
Is communication of good and bad news encouraged?
Is there a code of conduct?
Is there a whistle-blower system in place?
How are incentives structured?
Do any policies drive unintended behaviour?
Does the leadership team lead by example?